b'                              U.S. Department of Justice\n                         Office of the Inspector General\n                                           Audit Division\n\n\n\n\n   Audit Report\n\n  Independent Evaluation\n      Pursuant to the\n  Government Information\n    Security Reform Act\n     Fiscal Year 2002\n\nThe Bureau of Prisons\xe2\x80\x99 Inmate\n    Telephone System II\n\n\n\n\n     November 2002\n         03-04\n\x0c                 INDEPENDENT EVALUATION PURSUANT TO THE\n               GOVERNMENT INFORMATION SECURITY REFORM ACT\n                            FISCAL YEAR 2002\n\n                              THE FEDERAL BUREAU OF PRISONS\xe2\x80\x99\n                                INMATE TELEPHONE SYSTEM II\n\n                             OFFICE OF THE INSPECTOR GENERAL\n                                    EXECUTIVE SUMMARY\n\n     The Federal Bureau of Prisons (BOP) is tasked with protecting society\nby confining offenders in the controlled environments of prisons and\ncommunity-based facilities that are safe, humane, cost-efficient, and\nappropriately secure; and providing work and other self-improvement\nopportunities to assist offenders in becoming law-abiding citizens.\n\n      The Inmate Telephone System II (ITS II) is a system that allows\ninmates at a federal correctional facility to place telephone calls while\nproviding BOP staff with the ability to control their access, make records of\nthe calls, adjust inmates\xe2\x80\x99 commissary account, and bill for the calls.\n\n      The Office of the Inspector General (OIG) selected ITS II as one of five\nsensitive but unclassified (SBU) systems to review pursuant to the\nGovernment Information Security Reform Act (GISRA) for the fiscal year\n(FY) 2002. The OIG is required by GISRA to perform an independent\nevaluation of the Department of Justice\xe2\x80\x99s (Department) information security\nprogram and practices. 
This report contains the results of the ITS II audit.\nSeparate reports will be issued for each of the other systems evaluated\npursuant to GISRA, including three systems that process classified\ninformation.\n\n      Under the direction of the OIG and in accordance with Government\nAuditing Standards, PricewaterhouseCoopers LLP (PwC) performed the audit\nof ITS II. The audit took place from May through July 2002 and consisted of\ninterviews, on-site observations, and reviews of Department and component\ndocumentation to assess ITS II\xe2\x80\x99s compliance with GISRA and related\ninformation security policies, procedures, standards, and guidelines.1 We2\nused commercial-off-the-shelf and proprietary tools to conduct vulnerability\n\n\n1\n    In a September 1997 audit, report number 97-26, the OIG recommended that the Department develop effective\n    computer security program guidance. The Department then revised its policy and released DOJ Order 2640.2D,\n    \xe2\x80\x9cInformation Technology Security\xe2\x80\x9d in July 2001, which was used in the analysis of this year\'s review.\n\n2\n    In this report, "we" refers either to the OIG or to PwC working under the direction of the OIG.\n                                                          -i-\n\x0ctests and analyses of significant operating system integrity and security\ncontrols.\n\n       During the course of our work for this review, we found improvements\nor satisfactory operations within the ITS II information security controls that\nare being reported. Specifically:\n\n   \xe2\x80\xa2   BOP is in the process of having ITS II recertified.\n\n   \xe2\x80\xa2   BOP is in the process of addressing findings identified in the June 2002\n       security test and evaluation (ST&E) report.\n\n   \xe2\x80\xa2   BOP staff have signed the Rules of Behavior.\n\n   \xe2\x80\xa2   BOP facilities are controlled by security guards. 
In addition, all BOP\n       employees and contractor staff must have an access badge or be\n       escorted by BOP personnel to gain entry to BOP facilities.\n\n        Despite these improvements, we assessed management, operational,\nand technical controls at a medium to high risk to the protection of the\nITS II from unauthorized use, loss, or modification. Specifically, we\nidentified vulnerabilities in 13 of the 17 control areas. Two of the 13\nvulnerabilities were identified as high risks to the protection of ITS II as\nindicated in the following chart.\n\n\n\n\n                                      - ii -\n\x0c                                                                                VULNERABILITIES\n                           CONTROL AREAS3\n                                                                                    NOTED\n          Management Controls\n          1.    Risk Management\n          2.    Review of Security Controls\n          3.    Life Cycle                                                                     \xe2\x88\x9a\n          4.    Authorize Processing\n                (Certification and Accreditation)                                              \xe2\x88\x9a\n          5.    System Security Plan                                                           \xe2\x88\x9a\n          Operational Controls\n          6.    Personnel Security                                                             \xe2\x88\x9a\n          7.    Physical and Environmental Protection                                          \xe2\x88\x9a\n          8.    Production, Input/Output Controls                                              \xe2\x88\x9a\n          9.    Contingency Planning                                                           \xe2\x88\x9a\n          10.   Hardware and Systems Software Maintenance                                      \xe2\x88\x9a\n          11.   
Data Integrity                                                                 \xe2\x88\x9a\n          12.   Documentation\n          13.   Security Awareness, Training, and Education\n          14.   Incident Response Capability                                                   \xe2\x88\x9a\n          Technical Controls\n          15. Identification and Authentication                                                \xe2\x88\x9a*\n          16. Logical Access Controls                                                          \xe2\x88\x9a*\n          17. Audit Trails                                                                     \xe2\x88\x9a\n       Source: The OIG\xe2\x80\x99s FY 2002 GISRA audit of ITS II\n\n       \xe2\x88\x9a* Significant vulnerability in which risk was noted as high. A high-risk vulnerability is defined as one where\n          extremely grave circumstances can occur by allowing a remote or local attacker to violate the security\n          protection of a system through user or root account access, gaining complete control of a system and\n          compromising critical information.\n\n\n     As a result of the findings identified in this report, we are providing 28\nrecommendations for improving ITS II to ensure that BOP management:\n\n      \xe2\x80\xa2    Incorporate security requirements into the development and\n           acquisition phases of the BOP system development life cycle (SDLC).\n\n      \xe2\x80\xa2    Incorporate formal procedures to document certification/testing\n           activities, update system documentation when security controls are\n           added, retest security controls, and have the system recertified after\n           changes have been made.\n\n\n3\n    Control Areas as described in the National Institute of Standards and Technology (NIST) Special Publication\n    (SP) 800-26, \xe2\x80\x9cSecurity Self-Assessment Guide for Information Technology Systems.\xe2\x80\x9d\n                                         
               - iii -\n\x0c\xe2\x80\xa2   Incorporate the in-place operating controls as outlined in the\n    June 2002 ST&E report and complete the "Conditions of Certification"\n    outlined in the ITS II certification statement.\n\n\xe2\x80\xa2   Incorporate the guidelines for developing security plans outlined in the\n    NIST SP 800-18 into the current ITS II security plan and incorporate\n    the plan into the overall strategic plan for the BOP.\n\n\xe2\x80\xa2   Conduct an analysis on the current staff shortages by determining the\n    current security and system administrator skills on the BOP team and\n    determine what skills the BOP needs to close the "gap."\n\n\xe2\x80\xa2   Distribute the BOP\xe2\x80\x99s documented procedures on how to maintain ITS II\n    user accounts to ITS II security staff and contractor personnel.\n    Additionally, enforce the procedures as required by the BOP\xe2\x80\x99s Directive\n    1237.11.\n\n\xe2\x80\xa2   Implement all of the recommendations outlined in the June 2002 ST&E\n    report, specifically those outlined in section 4.12.\n\n\xe2\x80\xa2   Establish a formal documented process to control the transfer of BOP\n    media and data.\n\n\xe2\x80\xa2   Distribute the contingency plan to appropriate individuals, including\n    contractor staff and periodically test the contingency plan.\n\n\xe2\x80\xa2   Develop a configuration standard for all systems that incorporates the\n    most restrictive security settings possible.\n\n\xe2\x80\xa2   Develop policies and procedures surrounding the use of intrusion\n    detection software and integrity validation software, and implement\n    these policies and procedures on critical servers.\n\n\xe2\x80\xa2   Develop a stronger policy for incident handling, response, and\n    personnel support.\n\n\xe2\x80\xa2   Enforce current Department password policies and procedures and\n    install and activate a password filter on all servers to enforce\n    parameters that enforce 
restrictions on passwords.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for access controls.\n\n                                  - iv -\n\x0c\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for user authentication and\n    access.\n\n\xe2\x80\xa2   Implement the system key utility, restrict services to run in a secured\n    context, and remove all unnecessary services.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for network controls.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for user and group\n    management controls.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for account integrity\n    management.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for file system access.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for maintenance controls.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for Windows NT registry\n    settings.\n\n\xe2\x80\xa2   Obtain the latest security patches from the operating system vendor.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for router configurations.\n\n\xe2\x80\xa2   Implement Cisco\'s fail-over capabilities on critical external routers.\n\n\xe2\x80\xa2   Develop, implement, and monitor documented policy establishing\n    specific security standards and settings for command line access.\n\n\n\n\n                     
              -v-\n\x0c   \xe2\x80\xa2   Develop documented procedures for logging and monitoring system\n       activity and require that audit logs be reviewed periodically.\n\n   We concluded that these vulnerabilities occurred because BOP\nmanagement did not fully develop, document, or enforce agency-wide\npolicies in accordance with current Department policies and procedures.\nAdditionally, we believe the Department did not enforce their security\npolicies and procedures to ensure ITS II is protected from unauthorized use,\nloss, or modification through its certification and accreditation process. If\nnot corrected, these security vulnerabilities threaten ITS II and its data with\nthe potential for unauthorized use, loss, or modification.\n\n\n\n\n                                     - vi -\n\x0c                                    TABLE OF CONTENTS\n\n                                                                                           Page\n\nOBJECTIVE, SCOPE, AND METHODOLOGY ........................................... 1\n\nINMATE TELEPHONE SYSTEM II (ITS II) NETWORK ENVIRONMENT......... 2\n\nSUMMARY RESULTS OF THE AUDIT .................................................... 3\n\nFINDINGS AND RECOMMENDATIONS ................................................. 4\n\nI.   Management Controls ................................................................. 4\n      A. Life Cycle .......................................................................... 4\n      B. Authorize Processing (Certification and Accreditation) ............... 6\n      C. System Security Plan ........................................................... 8\n\nII. Operational Controls................................................................... 9\n     A. Personnel Security ............................................................. 10\n     B. Physical and Environmental Protection .................................. 12\n     C. 
Production, Input/Output Controls ....................................... 13\n     D. Contingency Planning ........................................................ 14\n     E. Hardware and Systems Software Maintenance ....................... 16\n     F. Data Integrity ................................................................... 17\n     G. Incident Response Capability............................................... 18\n\nIII. Technical Controls .................................................................... 19\n      A. Identification and Authentication.......................................... 19\n      B. Logical Access Controls....................................................... 21\n      C. Audit Trails ....................................................................... 41\n\nCONCLUSION ............................................................................... 42\n\nAPPENDIX I- NATIONAL INSTUTE OF STANDARDS AND TECHNOLOGY\n            GENERAL CONTROL AREAS .......................................... 43\n\nAPPENDIX II - FEDERAL BUREAU OF PRISONS RESPONSE TO THE OIG\n              OIG DRAFT REPORT .................................................. 49\n\nAPPENDIX III - OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF\n              ACTIONS NECESSARY TO CLOSE THE REPORT ............. 60\n\x0c            OBJECTIVE, SCOPE, AND METHODOLOGY\n\n      The fiscal year (FY) 2001 Defense Authorization Act (Public Law\n106-398) includes Title X; subtitle G, \xe2\x80\x9cGovernment Information Security\nReform Act\xe2\x80\x9d (GISRA). GISRA became effective on November 29, 2000, and\namends the Paperwork Reduction Act of 1995 by enacting a new subchapter\non "Information Security." 
It requires federal agencies to:\n\n  \xe2\x80\xa2   Have an annual independent evaluation of their information security\n      and practices performed.\n  \xe2\x80\xa2   Ensure information security policies are founded on a continuous risk\n      management cycle.\n  \xe2\x80\xa2   Implement controls that assess information security risks.\n  \xe2\x80\xa2   Promote continuing awareness of information security risks.\n  \xe2\x80\xa2   Continually monitor and evaluate information security policy.\n  \xe2\x80\xa2   Control effectiveness of information security practices.\n  \xe2\x80\xa2   Provide a risk assessment and report on the security needs of the\n      agencies\xe2\x80\x99 systems, and include the report in their budget request to\n      the Office of Management and Budget (OMB).\n\n      The objective of the audit was to determine the Department of\nJustice\xe2\x80\x99s (Department) compliance with the requirements of GISRA. The\nInmate Telephone System II (ITS II) was selected as one of the subset of\nsystems to be tested to determine the effectiveness of the Department\xe2\x80\x99s\noverall security program for FY 2002. In determining if the Department is\ncompliant with GISRA requirements, PricewaterhouseCoopers LLP (PwC)\nassessed whether adequate computer security controls existed to protect the\nITS II from unauthorized use, loss, or modification.\n\n      Under the direction of the OIG and in accordance with Government\nAuditing Standards, PwC performed the audit of ITS II. The audit took place\nfrom May through July 2002. During our audit, we met with the Federal\nBureau of Prisons (BOP) officials from the ITS II System Control Center. 
We\nreviewed documentation that included the BOP\xe2\x80\x99s information technology (IT)\ndocuments, organizational structures, OMB GISRA reporting information, and\nprior OIG and Department reports to assess the ITS II compliance with\nGISRA and related information security policies, procedures, standards, and\nguidelines. We performed test work at BOP Headquarters in Washington,\nD.C.\n\n\n\n\n                                    -1-\n\x0c      For the interviews conducted, we used the questionnaire contained in\nthe National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-26, \xe2\x80\x9cSecurity Self-Assessment Guide for Information\nTechnology Systems.\xe2\x80\x9d This questionnaire contains specific control objectives\nand suggested techniques against which the security of a system or group of\ninterconnected systems can be measured. The questionnaire contains 17\nareas under 3 general controls (management, operational, and technical).\nThe areas contain 36 critical elements and 225 supporting security control\nobjectives and techniques (questions) about the system. The critical\nelements are derived primarily from OMB Circular A-130 and are integral to\nan effective IT security program. The control objectives and techniques\nsupport the critical elements. If a number of the control objectives and\ntechniques are not implemented, the critical elements have not been met.\n\n      The audit approach was based on the General Accounting Office\xe2\x80\x99s\nFederal Information System Controls Audit Manual, the Chief Information\nOfficer Council Framework, OMB Circular A-130, and guidance established by\nNIST. These authorities prescribe a review that evaluates the adequacy of\nmanagement, operational, and technical controls over control areas listed in\nAppendix I.\n\nINMATE TELEPHONE SYSTEM II (ITS II) NETWORK ENVIRONMENT\n\n      The ITS was developed in 1988. 
In an August 1999 review\nperformed by the OIG, we found that a significant number of federal\ninmates use prison telephones to commit serious crimes while\nincarcerated \xe2\x80\x93 including murder, drug trafficking, and fraud. BOP\nmanagement acknowledged the shortcomings of its inmate telephone\nsystem and indicated that a more sophisticated version of the inmate\ntelephone system called (ITS II), was being developed to provide more\noptions for restricting and controlling inmate access to prison telephones.\n\n       While the former inmate telephone system was self-contained at\neach institution and was incapable of sharing data through a central\ndatabase, ITS II is designed to allow the BOP to access inmate telephone\ninformation from all BOP institutions simultaneously. ITS II provides the\nBOP with the ability to control their access, make records of the calls,\nadjust the inmates\xe2\x80\x99 commissary account, and bill inmates for the calls.\nITS II also allows the BOP\xe2\x80\x99s Central Office to monitor and record\ntelephone conversations of any inmate in the country.\n\n\n\n\n                                     -2-\n\x0c      ITS II provides wide-area network circuits, routers, Ethernet\nswitches, and network management for ITS II computer systems and\nnetworking equipment. The ITS II consists of UNIX and Windows NT\nplatforms.\n\nSUMMARY RESULTS OF THE AUDIT\n\n      We obtained audit evidence to determine whether adequate computer\nsecurity controls existed to protect ITS II from unauthorized use, loss, or\nmodification. Our testing consisted of assessing management, operational,\nand technical controls for 17 critical areas for the ITS II. Our testing\ndisclosed vulnerabilities within 13 of the 17 areas. 
Two of the 13\nvulnerabilities were within technical controls and were identified as high risks\nto the protection of ITS II.\n\n       We concluded that these vulnerabilities occurred because ITS II\nmanagement did not fully develop, document, or enforce agency-wide\npolicies in accordance with current Department policies and procedures.\nAdditionally, we believe the Department did not enforce their security\npolicies and procedures to ensure ITS II is protected from unauthorized use,\nloss, or modification through its certification and accreditation process. If\nnot corrected, these security vulnerabilities threaten ITS II and its data with\nthe potential for unauthorized use, loss, or modification.\n\n\n\n\n                                     -3-\n\x0c                    FINDINGS AND RECOMMENDATIONS\n\n       Our review disclosed that security controls need improvement to\nfully protect the ITS II from unauthorized use, loss, or modification.\nSpecifically we found vulnerabilities in the areas of life cycle; authorize\nprocessing; system security plan; personnel security; physical and\nenvironmental protection; production, input/output controls; contingency\nplanning; hardware and systems software maintenance; data integrity;\nincident response capability; identification and authentication; logical\naccess controls; and audit trails.\n\nI.    Management Controls. Management controls are techniques and\n      concerns that are normally addressed by management in the\n      organization\'s computer security program. 
In general, they focus on\n      the management of the computer security program and the\n      management of risk within the organization.\n\n                                                       Vulnerabilities\n                Management Controls\n                                                            Noted\n         Risk Management\n         Review of Security Controls\n         Life Cycle                                            \xe2\x88\x9a\n         Authorize Processing\n         (Certification and Accreditation)                     \xe2\x88\x9a\n         System Security Plan                                  \xe2\x88\x9a\n\n      As a result of testing management controls, we confirmed that controls\nwere adequate for ITS II\xe2\x80\x99s risk management and review of security controls.\nVulnerabilities were identified within the following management control\nareas:\n\nA. Life Cycle. Security is an important part of the system life cycle, and\n   security is best managed if planned for the entire IT system life cycle.\n   There are many models for the IT system life cycle but most contain five\n   basic phases: initiation, development/acquisition, implementation,\n   operation, and disposal.\n\nIssue: Inadequate System Development Life Cycle (SDLC)\n\nCondition:\n\nThe BOP has not incorporated security requirements into its ITS II SDLC\nprocedures. 
During the acquisition and development phases of ITS II, the\n\n\n\n                                             -4-\n\x0cSDLC did not require the BOP to address security issues that may have\narisen.\n\nCause:\n\nThe BOP ITS II management failed to fully implement its SDLC methodology.\n\nCriteria:\n\nDOJ Order 2640.2D, Information Technology Security, states that\ncomponents shall develop and implement a risk-based security process to\nprovide security throughout the life cycle of all systems supporting their\noperations and assets.\n\nRisk:\n\nWithout security requirements being outlined for the development and\nacquisition phases of the SDLC, complications in the development process\ncan arise that could cause system vulnerabilities to be present in the final\nproduction system.\n\nRecommendation:\n\n   1. We recommend that the BOP Director ensure that BOP management\n      incorporate security requirements into the development and\n      acquisition phases of the SDLC.\n\nIssue: Inadequate Change Control Procedures\n\nCondition:\n\nITS II does not have adequate change control procedures in place to:\n(a) document certification testing activities, (b) update system\ndocumentation when security controls are added, (c) retest security controls,\nor (d) recertify the system after changes have been made.\n\nCause:\n\nBOP management failed to fully implement the SDLC methodology.\n\nCriteria:\n\nDOJ Order 2640.2D requires that a configuration management process be in\nplace to maintain control of changes to any system.\n\n\n\n\n                                      -5-\n\x0cRisk:\n\nThe absence of adequate change control procedures in the SDLC can lead to\nnumerous complications if or when changes are made to ITS II. This can\ninclude system failures, system vulnerabilities, and other system flaws. In\naddition, any changes made for security purposes will not be documented.\n\nRecommendation:\n\n   2. 
We recommend that the BOP Director ensure that BOP management\n      incorporate documented procedures to document certification testing\n      activities, update system documentation when security controls are\n      added, retest security controls, and recertify the system after changes\n      have been made.\n\nB. Authorize Processing (Certification and Accreditation). Authorize\n   processing (also referred to as certification and accreditation) provides a\n   form of assurance of the security of the system. Computer security\n   assurance is the degree of confidence one has that the security\n   measures, both technical and operational, work as intended to protect\n   the system and the information it processes. Certification is a formal\n   process for testing components or systems against a specified set of\n   security requirements while accreditation is a management official\'s\n   formal acceptance of the adequacy of a system\'s security. Computer\n   security accreditation forces managers and technical staff to work\n   together to find workable, cost-effective solutions of security needs,\n   technical constraints, operational constraints, and mission or business\n   requirements.\n\nIssue: Operating Controls Not In Place\n\nCondition:\n\nAlthough ITS II was certified and accredited, we found that BOP\nmanagement did not improve operating controls outlined in a security test\nand evaluation (ST&E) report completed by a contractor in June 2002. The\nreport identified 13 areas of weaknesses and correlating recommendations\nfor improving operating controls over ITS II. 
In addition, areas such as virus\ncontrols, password controls, and user level access controls outlined in a\nDecember 2000 certification statement as conditions for certification had not\nbeen met.\n\n\n\n\n                                     -6-\n\x0cCause:\n\nBOP management did not update the system resources to fully improve\nsecurity over the network.\n\nCriteria:\n\nDOJ Order 2640.2D requires that each component shall evaluate their IT\nsecurity programs and system protection mechanisms and report\ndeficiencies to the Chief Information Officer annually.\n\nRisk:\n\nWithout in-place controls operating as intended, ITS II is vulnerable to\nsecurity breaches that could lead to a denial of service or a full compromise\nof the system.\n\nRecommendation:\n\n   3. We recommend that the BOP Director ensure that BOP management\n      update operating controls as outlined in the June 2002 ST&E report,\n      and complete the "Conditions of Certification" outlined in the ITS II\n      certification statement.\n\nIssue: Rules of Behavior\n\nCondition:\n\nThe BOP developed Rules of Behavior (BOP Directive 1237-12) that BOP\napproved to provide guidance on how to use BOP systems. BOP staff signed\nthe Rules of Behavior; however, the ITS II contractor personnel have not.\nTherefore, contractor personnel are not necessarily aware of the BOP\xe2\x80\x99s\nprocedures and guidelines for administering and operating ITS II.\n\nCause:\n\nBOP management did not follow Department procedures requiring\ncontractor\xe2\x80\x99s acknowledgement of the Rules of Behavior document.\n\nCriteria:\n\nNIST SP 800-18, A Guide For Developing Private Security Plans For\nInformation Technology, states that a set of Rules of Behavior must be\nestablished for each system and should be made available to every user\n\n\n\n\n                                     -7-\n\x0cprior to receiving authorization for access to the system. 
It is recommended\nthat the rules contain a signature page for each user to acknowledge receipt.\n\nRisk:\n\nContractor personnel not signing the Rules of Behavior document could have\nseveral negative effects. For example, users could potentially find\nthemselves in a situation where they are unsure of how to act given the\ncircumstances and could choose an action that goes against the BOP policy.\nAdditionally, the BOP could be unable to hold contractors and vendors\naccountable for their actions should they affect the BOP or ITS II negatively.\n\nRecommendation:\n\n  4. We recommend that the BOP Director ensure that BOP management\n     requires all users, including vendor and contractor personnel, to read\n     and sign the Rules of Behavior document (BOP Directive 1237-12) to\n     ensure users are aware of its contents.\n\nC. System Security Plan. A system security plan provides an overview of\n   the security requirements of the system and describes the controls in\n   place or planned for meeting those requirements. The plan delineates\n   responsibilities and expected behavior for all individuals who access the\n   system.\n\nIssue: Security Plan\n\nCondition:\n\nWhile the BOP has developed a system security plan for ITS II, BOP did not\naddress critical elements. For example, the BOP has not incorporated all\naspects of NIST SP 800-18, into the security plan. In addition, the plan for\nITS II was not incorporated into the BOP\'s overall strategic information\nresources management (IRM) plan.\n\nCause:\n\nThe current system security plan was developed by the main ITS II\ncontractor, and was based on the contractor\xe2\x80\x99s standards, not those of the\nBOP or the Department.\n\n\n\n\n                                     -8-\n\x0cCriteria:\n\nDOJ Order 2640.2D Section 5 states:\n\xe2\x80\x9cComponents shall ensure the certification and accreditation of all systems\nunder their operational control.\n     c. 
For each classified and sensitive but unclassified (SBU) system the\n        certification official shall:\n            (1) Ensure a system security plan is prepared and maintained\n                 throughout the system life cycle.\n            (2) Ensure a system test and evaluation is conducted and the\n                 results of such tests are documented.\xe2\x80\x9d\n\nRisk:\n\nWithout incorporating NIST SP 800-18 standards into the security plan and\nnot incorporating the security plan into the BOP\'s overall strategic plan could\nresult in aspects of the security plan being incomplete or not in accordance\nwith overall BOP security guidelines. This could lead to a less secure system\noverall.\n\nRecommendation:\n\n  5. We recommend that the BOP Director ensure that BOP management\n     incorporate the guidelines for developing security plans outlined in\n     NIST SP 800-18 into the current ITS II security plan and incorporate\n     the plan into the overall IRM strategic plan for the BOP.\n\nII.     Operational Controls. Operational controls address security controls\n        that are implemented and executed by people. These controls are put\n        in place to improve the security of a particular system. 
They often require technical or specialized expertise and rely upon management activities as well as technical controls.

            Operational Controls                          Vulnerabilities Noted
            Personnel Security                                     √
            Physical and Environmental Protection                  √
            Production, Input/Output Controls                      √
            Contingency Planning                                   √
            Hardware and Systems Software Maintenance              √
            Data Integrity                                         √
            Documentation
            Security Awareness, Training, and Education
            Incident Response Capability                           √

Our testing confirmed that operational controls were adequate within the areas of documentation and security awareness, training, and education for ITS II. However, our testing also identified vulnerabilities within other critical areas of operational controls. The specific details identifying these vulnerabilities are listed below.

A. Personnel Security. Personnel security involves the use of computer systems by human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with computers and the access and authorities they need to do their jobs.

Issue: Segregation of Duties

Condition:

Currently, the BOP system administration and system security responsibilities are not adequately separated to ensure least privilege and individual accountability.
In addition, different individuals do not always perform distinct systems support functions.

Cause:

According to BOP personnel, due to staff constraints, system maintenance, user maintenance, and security and network administration activities all fall under one person for the BOP and one person for the contractor. In addition, staffing constraints have resulted in one person acting as both a maintenance manager and a researcher and developer.

Criteria:

DOJ Order 2640.2D, Chapter 2, Section 23 (a) and (c), states: “Department IT systems shall have assignment and segregation of system responsibilities defined and documented…. At a minimum, there shall be a clearly defined role for a security administrator and a system administrator.” Additionally, “Controls [compliant with Department access control policies] shall be in place to ensure that the user [and administrators] has access to only the resources required to accomplish their duties and no more.”

Risk:

Tasking the same individuals to be responsible for development, system administration, and security administration could allow an individual to commit fraudulent activity and "cover up" his/her tracks without the BOP detecting the activity. In addition, individuals could implement "backdoors" that would allow access once the individual has left the BOP.

Recommendation:

  6. We recommend that the BOP Director ensure that BOP management:

            a. conduct an analysis of the current staff shortages by determining the current security and system administrator skills on the BOP team and determine what skills the BOP needs to close the "gap."
               If additional staff is required, hire additional personnel who are trained and experienced security and/or system administrators;

            b. ensure that those individuals who currently function as both security administrators and system administrators are moved to positions where these responsibilities do not conflict; and

            c. ensure that developers are not tasked with either system or security administration.

Issue: Hiring, Transfer, and Termination Documentation

Condition:

Not all BOP ITS II security staff and contractor personnel are aware of the BOP’s user account maintenance policy, which provides procedures for how to handle ITS II user accounts when employees are hired, transferred, or terminated.

Cause:

According to the BOP security staff, the policy had not been communicated to them or to ITS II contractor personnel.

Criteria:

BOP Directive 1237-11 states: “Users shall be trained in protection of computer hardware, software, and information. This includes all persons employed by or working with the Department of Justice receiving direct or indirect compensation or none at all (Public Health Service staff, contractors, volunteers, interns, persons representing or detailed from other Government agencies, etc.). They shall be made thoroughly aware of security and contingency plans for systems they use.”

Risk:

Without awareness of the documented procedures for user account maintenance, accounts may be added to ITS II without authorized approval, and accounts of employees that have transferred or been terminated may not be removed in a timely manner.

Recommendation:

        7. We recommend that the BOP Director ensure that BOP management:

             a.
                distribute the BOP’s documented procedures on how to maintain BOP ITS II user accounts to ITS II security staff and contractor personnel; and

             b. enforce procedures in accordance with BOP Directive 1237.11 and Department policy.

B. Physical and Environmental Protection. Physical security and environmental security are the measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.

Issue: Physical Access

Condition:

The BOP does not have adequate physical security controls in place for ITS II. The ST&E report identified physical security weaknesses relating to 13 areas under NIST SP 800-26, which is being used for this GISRA review. These deficiencies included weaknesses in areas such as physical access to ITS II systems (routers, switches, and wiring closets), documentation of employee access to sensitive areas, reporting of suspicious activities, unauthorized viewing of computer monitors, and fire suppression and prevention.

Cause:

BOP security management has not taken all appropriate steps to meet the Department and BOP requirements for physical security.

Criteria:

DOJ Order 2640.2D states: "Department IT systems shall be physically protected commensurate with the highest classification or sensitivity of the information." In addition, BOP Directive 1237-11 Section 5 outlines requirements for physical security.

Risk:

Without adequate physical security controls, unauthorized physical access to ITS II can be obtained and damage can be done to the systems. In addition, the systems may not be properly protected from disaster events such as fires and floods.

Recommendation:

        8.
           We recommend that the BOP Director ensure that BOP management implement all of the recommendations outlined in the June 2002 ST&E report, specifically those outlined in section 4.12.

C. Production, Input/Output Controls. There are many aspects to supporting IT operations. Topics range from the user help desk to procedures for storing, handling, and destroying media.

Issue: Sensitive Media

Condition:

To date, the BOP has not developed documented procedures for handling sensitive media. No formal process has been established to ensure that only authorized individuals can pick up, receive, or deliver input and output information and media. In addition, no documented process has been established to ensure adequate audit trails are used and maintained for inventory management and labeling of sensitive media.

Cause:

According to the BOP, an inadequate number of trained security personnel are on the ITS II security team to handle the associated responsibilities for developing the formal policies and procedures for handling sensitive media and to perform the daily tasks required to maintain a secure computing environment.

Criteria:

BOP Directive 1237.11 states: “Be responsible for security of individual and shared office space containing computers, sensitive printouts, and electronic storage devices/media…. Take reasonable precautions to avoid loss of or damage to Government property and information.”

DOJ Order 2640.2D Chapter 2 Section 19 states: “Department IT systems shall: maintain an audit trail of activity sufficient to reconstruct security relevant events.”

Risk:

Without these procedures in place, unauthorized individuals could gain access to sensitive BOP data.
The lack of adequate audit trails for inventory management could also allow someone with access to the BOP hardware and software to either accidentally or intentionally misplace system components. In addition, contractor staff may not be made aware of the BOP’s procedures for handling sensitive media once those procedures have been created.

Recommendation:

        9. We recommend that the BOP Director ensure that BOP management document a process to control the transfer of media and BOP data. In addition, BOP management should ensure that audit trails are kept and retained for extended periods of time, capturing relevant information such as name, date, media description, and authorization.

D. Contingency Planning. Contingency planning can ensure continued operations by minimizing the risk of events that could disrupt normal operations and having an approach in place to respond to those events should they occur.

Issue: Contingency Plan Implementation

Condition:

The current BOP contingency plan has not been distributed to all ITS II personnel. In addition, the current contingency plan for ITS II is not periodically tested, and ITS II staff have not been trained in their roles and responsibilities concerning the contingency plan.

Cause:

BOP ITS II management has not distributed the contingency plan to appropriate BOP personnel. BOP management does not know if the plan has been distributed to the vendor's (Dyncorp) personnel.

Criteria:

BOP Directive 1237-11 states: “Users shall be trained in protection of computer hardware, software, and information….
They shall be made thoroughly aware of security and contingency plans for systems they use.”

DOJ Order 2640.2D Chapter 1 Section 9 states: “Components shall plan for how they will perform their missions in the event their IT systems are unavailable and how they will recover these IT systems in the event of loss or failure. Components shall: … Test contingency/business resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk.”

Risk:

By not properly distributing the contingency plan, the BOP’s security staff may not be fully informed of the plan’s details, and contractor staff may not be aware of the appropriate steps to take should a system recovery become necessary. Not testing the plan could allow deficiencies or weaknesses in the plan to go unnoticed and uncorrected until an actual emergency. This also leaves BOP personnel unfamiliar with the steps to take in the event of a disaster and unaware of who is responsible for completing each step as outlined in the plan.

Recommendation:

  10. We recommend that the BOP Director ensure that BOP management:

            a. distribute the contingency plan to appropriate individuals, including contractor staff; and

            b. periodically test the contingency plan and train their employees and contractor staff in their roles and responsibilities.

E. Hardware and Systems Software Maintenance. Hardware and systems software maintenance controls are used to monitor and provide a historical record of installations and upgrades.

Issue: Security Configuration

Condition:

The ITS II operating systems were not properly configured to prevent circumvention of the security software and application controls.
We observed weak passwords on ITS II (Windows NT administrator-level accounts with passwords set to the account name and administrator-level accounts without passwords), and numerous vulnerabilities were identified by the contractor in its ST&E report. We also identified numerous vulnerabilities in ITS II diagnostic reviews. In addition, the default settings of security features for ITS II are not as restrictive as possible (Windows NT systems allowed enumeration of users, file permissions were not restrictive, and Simple Network Management Protocol (SNMP) community strings were weak).

Cause:

These conditions exist due to the lack of a formal configuration standard for the ITS II system.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without properly configured security settings on operating systems, attackers can compromise ITS II.

Recommendation:

   11. We recommend that the BOP Director ensure that BOP management develop a configuration standard for all systems that incorporates the most restrictive security settings possible. In addition, the BOP should implement all the recommendations outlined in the ST&E report.

F. Data Integrity. Data integrity controls are used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.

Issue: Integrity and Validation Controls

Condition:

Currently, the integrity and validation controls for ITS II are not adequate.
No Intrusion Detection System (IDS) has been installed on ITS II, and no integrity verification programs are being used.

Cause:

The BOP does not have a policy on the use of an IDS and integrity verification programs. Additionally, the BOP lacks a policy on system penetration testing.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

The lack of these controls creates an inability to ensure data integrity and to validate data. This could leave the BOP vulnerable to unauthorized data modifications. The lack of an IDS also leaves administrators without the benefit of advance notice of unusual network or system activity. Without the warning an IDS can provide, it is more difficult to respond effectively to suspicious activity.

Recommendation:

   12. We recommend that the BOP Director ensure that BOP management develop policies and procedures surrounding the use of intrusion detection software and integrity validation software and implement these policies and procedures on critical servers.

G. Incident Response Capability. A computer security incident is an adverse event in a computer system or network. Such incidents are becoming more common and their impact is far-reaching.

Issue: Incident Handling

Condition:

In reviewing ITS II, we found the BOP's response, handling, and support procedures for security incidents are not adequate.
The BOP does not have a formal incident response capability implemented, and information concerning incidents does not appear to be disseminated to appropriate personnel or organizations.

Cause:

The BOP does not have a policy addressing incident handling and response, or one that addresses how personnel shall be trained to respond.

Criteria:

DOJ Order 2640.2D Chapter 1 Section 5 states: “For SBU systems, security incidents that meet the criteria established by the DOJ Computer Emergency Response Team (DOJCERT) shall be reported by the component to DOJCERT within time frames established by DOJCERT. For classified systems, the component shall immediately report to the Department Security Officer (DSO) any incident involving the loss, compromise, or other event affecting the security of a classified system.”

Risk:

Incidents that the BOP may encounter run the risk of not being properly handled. The correct or appropriate resolution may not be reached, and responsible individuals may not be informed of the incident. Also, by not sharing incident information with other organizations, a common attack or virus outbreak with a known resolution will not be as easily solved for the BOP or other affected organizations.

Recommendation:

   13. We recommend that the BOP Director ensure that BOP management develop a policy for incident handling, response, and personnel support.

III. Technical Controls. Technical controls focus on security controls that the computer system executes and depend upon the proper functioning of the system to be effective.
Technical controls require significant operational considerations and should be consistent with the management of security within the organization.

          Technical Controls                          Vulnerabilities Noted
          Identification and Authentication                    √*
          Logical Access Controls                              √*
          Audit Trails                                         √

   √* Significant vulnerabilities in which risk was noted as high. A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.

A. Identification and Authentication. Identification and authentication are technical measures that prevent unauthorized people or processes from entering an IT system. Identification, most commonly used for access control, is the means by which users claim their identities to a system. Authentication is verification that a person’s claimed identity is valid and is usually implemented through the use of passwords.

Issue: Password Management

A password is a unique string of characters that must be provided before a logon or access is authorized to a computer system. Passwords are security measures used to restrict logons to user accounts and access to computer systems and resources.
The BOP password controls were found to be inadequate.

Condition:

      •   The password policy on the BOPCOF server allows blank passwords.

      •   The minimum password age policy is set too low, allowing password changes too soon on both the BOPCOF and BOPCO1 servers.

      •   The password history is set to less than 10 on both the BOPCOF and BOPCO1 servers.

      •   The service pack enhancement Passfilt is not being used on the BOPCOF server.

      •   The resource kit utility 'passprop' is not being utilized on either the BOPCOF or the BOPCO1 server.

      •   The account lockout feature is not adequately set on the BOPCOF and BOPCO1 servers.

      •   The Administrator account password is blank on the BOPCOF server.

      •   Nineteen users have the "password never expires" setting on the BOPCO1 server, and two users have this setting on the BOPCOF server.

      •   The PASSLENGTH variable is set to six characters on the BOP UNIX server.

      •   The MAXWEEKS variable is set to 0 weeks.

      •   An EEPROM password has not been set.

Cause:

These vulnerabilities occurred because BOP management did not enforce compliance with Department password policies and procedures.

Criteria:

DOJ Order 2640.2D requires the Department’s IT systems to implement eight-character passwords composed of at least three of the following: English uppercase, English lowercase, numeric, and special characters.
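The composition rule just quoted, and the account-policy settings flagged under Condition, can both be checked mechanically. The following is an added example, not code from the OIG report, PwC, or the BOP: a Passfilt-style acceptance test for the eight-character, three-of-four-classes rule (which also rejects a password equal to the account name, the pattern observed on ITS II administrator accounts), plus an audit of a constructed Windows NT account policy against the findings (blank passwords, minimum age, history below 10, lockout, password filter, "password never expires"). The one-day minimum age, the lockout threshold and the server names are assumptions; the report only says those settings were "too low" or "not adequately set".

```python
"""Password-policy checks modelled on the DOJ Order 2640.2D composition rule
(at least eight characters drawn from at least three of four character classes)
and on the Windows NT account-policy findings listed under Condition.

Added example; not code from the OIG report, PwC, or the BOP. The policy
values below are constructed to mirror the findings, not read from ITS II.
"""
import string
from dataclasses import dataclass
from typing import List

MIN_LENGTH = 8      # DOJ Order 2640.2D: eight-character passwords ...
MIN_CLASSES = 3     # ... composed of at least three of the four classes
MIN_HISTORY = 10    # the report flags a history "set to less than 10"
MIN_AGE_DAYS = 1    # assumption: a one-day minimum age stops a user cycling
                    # straight back to an old password; the report says "too low"


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) occur."""
    return sum((
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ))


def meets_composition_rule(password: str, account_name: str = "") -> bool:
    """Passfilt-style acceptance test for a candidate password.

    Rejects blank and short passwords, passwords without the class mix, and a
    password equal to the account name (administrator-level accounts on ITS II
    were found with the password set to the account name).
    """
    if len(password) < MIN_LENGTH:
        return False
    if character_classes(password) < MIN_CLASSES:
        return False
    if account_name and password.lower() == account_name.lower():
        return False
    return True


@dataclass
class AccountPolicy:
    """Constructed summary of one server's Windows NT account policy."""
    server: str
    min_password_length: int     # 0 means blank passwords are permitted
    min_password_age_days: int
    password_history: int        # number of previous passwords remembered
    lockout_threshold: int       # failed logons before lockout; 0 = never
    complexity_filter: bool      # Passfilt (or an equivalent filter) installed
    never_expires_accounts: int  # accounts flagged "password never expires"


def audit_policy(policy: AccountPolicy) -> List[str]:
    """Return one finding per setting that misses the criteria above.

    An empty list means the policy passes every check.
    """
    findings = []
    if policy.min_password_length == 0:
        findings.append(f"{policy.server}: blank passwords are permitted")
    elif policy.min_password_length < MIN_LENGTH:
        findings.append(f"{policy.server}: minimum length "
                        f"{policy.min_password_length} is below {MIN_LENGTH}")
    if policy.min_password_age_days < MIN_AGE_DAYS:
        findings.append(f"{policy.server}: minimum password age allows "
                        f"immediate changes")
    if policy.password_history < MIN_HISTORY:
        findings.append(f"{policy.server}: password history "
                        f"{policy.password_history} is below {MIN_HISTORY}")
    if policy.lockout_threshold == 0:
        findings.append(f"{policy.server}: account lockout is not enabled")
    if not policy.complexity_filter:
        findings.append(f"{policy.server}: no password filter enforces "
                        f"composition")
    if policy.never_expires_accounts:
        findings.append(f"{policy.server}: {policy.never_expires_accounts} "
                        f"account(s) set to 'password never expires'")
    return findings


# Constructed policies; "example-pdc" is a placeholder, not an ITS II host.
WEAK_POLICY = AccountPolicy("example-pdc", 0, 0, 5, 0, False, 19)
HARDENED_POLICY = AccountPolicy("example-pdc", 8, 1, 10, 5, True, 0)

if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY):
        print("FAIL", finding)
    print("hardened policy findings:", audit_policy(HARDENED_POLICY))
    print("'administrator' accepted for Administrator?",
          meets_composition_rule("administrator", "Administrator"))
```

Run as a script, the weak policy produces six findings, one per bullet the report lists for the Windows NT servers, and the hardened policy produces none. The UNIX-side settings (PASSLENGTH, MAXWEEKS, the EEPROM password) live in different configuration files and are not modelled here.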
In addition, the Department’s IT systems should comply with Department password management policy (DOJ-TS-001).

Risk:

Without strong password management controls, the BOP increases the risk that unauthorized persons could access sensitive ITS II resources, exposing information to unauthorized use, loss, or modification.

Recommendation:

  14. We recommend that the BOP Director ensure that BOP management enforce formal Department password policies and procedures and install and activate a password filter on all servers to enforce restrictions on passwords.

B. Logical Access Control. Logical access controls are the system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Issue: Access Controls

Condition:

We found logical access controls were inadequate for restricting user activities and network access. On the network, insecure protocols are being used with the router, no formal procedures exist for changing vendor-supplied default security parameters, idle sessions are not disconnected, and no formal policy or procedures exist for firewalls.

Cause:

BOP management did not develop documented policy and procedures dictating the implementation and use of access control software for the prevention of fraudulent activity.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without access controls in place, BOP management is unable to prevent an individual from committing fraud.

Recommendation:

  15.
      We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for access controls. At a minimum, these standards and settings should:

            a. Establish policy and procedures for disabling insecure protocols.

            b. Establish policy dictating the reset of vendor default security parameters to more secure settings.

            c. Configure network connections to automatically disconnect.

            d. Establish standard firewall procedures for configuring the firewall.

            e. Restrict access to tables defining network options, resources, and operator profiles.

Issue: User Authentication and Access

Condition:

User authentication and access is not properly controlled on the ITS II network. Specifically:

   •   Access scripts with embedded passwords are not prohibited.

   •   Service and administrator accounts have weak passwords.

   •   Inactive user accounts are not disabled after a specific period of time.

   •   Lost or compromised passwords are handled inappropriately.

   •   No formal procedures exist for replacing vendor-supplied passwords.

   •   Data owners do not periodically review access authorizations to determine whether they remain appropriate.

Cause:

ITS II management did not have documented procedures for monitoring access scripts with embedded passwords, disabling inactive user accounts, handling lost or compromised passwords, replacing vendor-supplied passwords, addressing service and administrator accounts with weak passwords, and enabling data owners to review access authorizations so that only individuals with a need to know can access files.

Criteria:

DOJ Order 2640.2D Chapter 2
Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without periodic review of access permissions, it is possible that individuals without a legitimate need may gain access to sensitive information.

Recommendation:

   16. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user authentication and access. At a minimum, these standards and settings should:

             a. Prohibit the use of access scripts with embedded passwords.

             b. Require data owners to review access authorizations to determine whether they remain appropriate.

Issue: Server Configuration

Condition:

   •    The system key (SYSKEY) on the Windows NT servers was disabled. Enabling this option decreases the risk that password hashes will be cracked if obtained. A utility has been released that can extract the Windows NT password hashes even with SYSKEY enabled; therefore, this risk is only partially mitigated.

   •    Fifteen of the services on BOPCO1 and nine of the services on BOPCOF are running in an insecure context. If services running as LocalSystem are allowed to interact with the desktop, there is an increased risk that domain resources may be compromised by a locally logged on user who would have system access to server resources.
        If the service is compromised by an unauthorized user, they would be able to access any resources available to the user account under which it is running.

   •    BOPCO1 is running the spooler service, which for a Primary Domain Controller (PDC) is an unnecessary service. Both BOPCOF and BOPCO1 are running the “messenger” and “alerter” services. Running unnecessary applications, services, or protocols opens the server to any vulnerabilities that exist within each one.

   •    For UNIX, the BOPNNM server is running nine extraneous services.

   •    On the Cisco router, finger and Cisco Discovery Protocol are running.

Cause:

BOP management did not develop documented procedures regarding the implementation of the system key utility. In addition, services running as LocalSystem in "interactive" mode, and the "spooler" service, are running on the server.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

NIST Interagency Report (NISTIR) 5153 Section 3.2.2 states: "Each resource delivered with the system shall have the most restrictive access rights possible to permit the intended use of that resource."

Risk:

These services pose a risk to the system in that many are known to either present system users’ information or have known vulnerabilities.

Recommendation:

   17. We recommend that the BOP Director ensure that BOP management:

          a. implement the system key utility and restrict services so that they are running in a secure context; and

          b.
             ensure the removal of all unnecessary services.

Issue: Networking Controls

Networking controls govern access to the system from the network. These controls are a front-line defense for the system against intruders.

Condition:

Specifically, we found:

   •    Of the two Windows NT servers tested, the auditors discovered that both BOPCO1 and BOPCOF allow users to log in with cached login information. This means the user name of the last user is already provided at the login prompt. With this information provided, an attacker already has 50 percent of the login information required to gain access to the system.

   •    Routing updates sent by a router may advertise internal network topologies to groups or third parties that may be untrusted. In addition, interfaces that routinely advertise routing information may impede network efficiency, especially if neighboring routers are using other routing protocols or using static routes.

Cause:

BOP management did not develop documented procedures for networking controls.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16 states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without formal networking control procedures, ITS II user logon information is vulnerable in the event of an unauthorized user gaining access to the system.

Recommendation:

  18. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for networking controls. At a minimum, these standards and settings should include:

             a.
                The registry key on Windows NT servers, HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\CachedLogonsCount, should be set to 0.

             b. The command on routers in global configuration mode: passive-interface type number, where “type” refers to the interface type and “number” is the interface number.

Issue: User and Group Management Controls

Management of users and groups is key to controlling access to the system. Proper user and group management can help to enhance overall system security.

Condition:

Specifically, we found:

   •   Accounts that have not been logged into for an extended period of time have not been disabled on both BOPCOF and BOPCO1. Having outstanding accounts that are no longer needed increases the risk of unauthorized access.

   •   The default administrator accounts need to be renamed and given strong passwords on BOPCOF and BOPCO1. The 'Administrator' accounts are known to exist on all Windows NT systems. Consequently, they are among the first accounts that an intruder will attempt to use. The 'Administrator' account on Windows NT has all system rights and therefore should be the most protected account on the system. If these accounts are not renamed, an attacker would only need to guess the password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.

   •   The BOPCOF\Domain Users group is a member of the Local Administrators group.
As a result, every domain user, being a member of the local Administrators group, has administrator access to the server.

   •   The special group “Everyone” is in use on the BOPCOF and BOPCO1 servers; access control lists for files and directories on BOPCOF include it. “Everyone” is exactly that: it includes domain users, null session connections, and users from other trusted domains. Granting rights to “Everyone” is very broad and could inadvertently allow an intruder to gain access to system resources.

   •   An FTP users file (/etc/ftpusers) has not been created to restrict FTP access to authorized users. (Despite its name, /etc/ftpusers is a deny list: the FTP daemon refuses logins for every account named in it, so at a minimum it should list root and the system accounts.)

Cause:

ITS II management lacks procedures for renaming the Administrator and Guest accounts and assigning strong passwords. In addition, account activity is not being reviewed on a regular basis.

Criteria:

NISTIR 5153 Section 3.2.2, states: “Each resource delivered with the system shall have the most restrictive access rights possible to permit the intended use of that resource.”

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Federal Bureau of Prisons (FBOP) 1237.11, Information Security Programs, Section 6, Paragraph b, regarding Movement of Personnel, states: “A new user ID shall be issued at a staff member’s new duty station. The ISO at the transferring location shall disable the old user ID within one working day of the employee’s departure and delete the ID within 30 days.
For a SENTRY ID that cannot be created at the new duty station, use procedures prescribed in c.(3), following. On the UNICOR MCS system, the old user ID shall be permanently disabled, rather than deleted. For all involuntary separations and home duty assignments, the departing employee’s access to all computer systems shall be immediately disabled and his/her supervisor or the ISO shall confiscate accessible media. For routine voluntary permanent separations, the employee’s access shall be terminated no later than one working day following departure.”

Risk:

Without an /etc/ftpusers file, any user listed in /etc/passwd can transfer files across the network, increasing the risk that unauthorized files are transferred. In addition, the ‘Administrator’ account is known to exist on every Windows NT system and is therefore among the first accounts an intruder will attempt to use. It holds all system rights and should be the most protected account on the system. If the account is not renamed, an attacker need only guess the password, which, depending on other system settings, may be achievable in a relatively short time without detection.

Recommendation:

   19. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user and group management controls. At a minimum, these standards and settings should include:

           a. Review user account activity and disable or remove accounts that have been inactive for an extended period of time or are no longer needed.

           b.
Develop procedures for renaming the Administrator accounts and assigning strong passwords of at least eight characters that contain letters, digits, and special characters.

           c. Remove domain users from the local Administrators group.

           d. Replace references to the special group ‘Everyone’ with ‘Domain Users’, ‘Authenticated Users’, or domain application groups.

           e. Create the /etc/ftpusers file, listing root and the system accounts that must never log in over FTP.

Issue: Account Integrity Management

A system administrator manages user and account rights to ensure that account information conforms to system security policy. A system of user rights and advanced user rights controls account integrity. User rights define what a user can do on the system; they include the right to log on directly at a computer (local logon) and the right to log on to a computer over the network (remote logon). Advanced user rights are reserved for users involved in programming efforts.

Typically, administrators can create two types of accounts: user accounts and group accounts. A user account belongs to one person only, and rights assigned to it affect only that account. A group account is a collection of users with common rights.
In addition, to maintain account integrity, users must be clearly identified on the system so that their use of system resources can be tracked. Account integrity is also strengthened by renaming the Administrator and Guest accounts so that unauthorized users cannot identify them by name.

Condition:

Specifically, we found:

   •   Unauthenticated users can access this computer from the network. The lack of a standard user rights assignment policy for Windows NT allows the \Everyone group to hold the “Access this computer from the network” right, and the special \Everyone group includes unauthenticated (null session) users.

   •   On BOPCOF the local Administrators group has the “Back up files and directories” right. There should be a segregation of duties between administrators, users, and individuals who can back up files. Individuals with this user right can bypass the access control list (ACL) of a file and read any file. This is an issue because the Domain Users group is also a member of the local Administrators group.

   •   The “Change the system time” standard user right is not restricted on BOPCO1. Accurate system time is a prerequisite for an audit trail, because knowing who was accessing resources at a specified time could implicate a user. The entire audit, event monitoring, and logging system is based on time and therefore requires that the time not be tampered with.
Security policies, such as those for account lockout and expiration, are also based on the system time.

   •   The “Log on locally” standard user right is not restricted on BOPCOF. Only authorized individuals, such as the Security Officer or the Internal Auditor, should be given this right on a server, and those individuals should be members of an auditors group. (A control inherent in Windows NT applies when the security log is cleared: the first entry in the new log records that the old log was cleared and by whom.)

   •   The “Restore files and directories” standard user right is not restricted. There should be a segregation of duties between administrators, users, and individuals who can restore files. Individuals with this user right can bypass the ACL of a file and read or write any file on the server.

   •   The “Shut down the system” standard user right is not restricted on either server. Individuals who can shut down the Primary Domain Controller (PDC) could cause a denial of service or degrade network performance, depending on the Backup Domain Controller (BDC) configuration.

   •   The “Take ownership of files or other objects” standard user right is not restricted on BOPCOF. This is a very powerful user right because individuals can ignore the ACL of an object, take ownership of the object, and change the ACL.

   •   The ‘Act as part of the operating system’ advanced user right is not restricted on BOPCO1. This right is one of the most powerful rights within Windows NT.
It allows the designated accounts to act as a trusted part of the operating system and therefore to perform any activity regardless of other rights.

   •   The “Log on as a service” advanced user right is not restricted on either server. This right allows an account to log on as a service, as required by virus scanners and faxing software. Such services run in the background without interaction from any user. Some services have full control over the system, so an account holding this right can be very powerful if the service is configured that way.

   •   The “Increase scheduling priority” and “Profile single process” advanced user rights are assigned inappropriately on BOPCOF. These advanced user rights could be used to compromise the PDC if they are granted to individuals other than administrators. They are very powerful and do not need to be granted to normal users.

Cause:

BOP management did not develop a documented user rights assignment policy.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more.”

Risk:

Without policy and procedures in place for account integrity management, ITS II is exposed to attacks from unauthenticated users.

Recommendation:

    20. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for account integrity management.
At a minimum, these standards and settings should restrict the assignment of the following user rights:

             a. “Log on locally,”

             b. “Access this computer from the network,”

             c. “Restore files and directories,”

             d. “Shut down the system,”

             e. “Take ownership of files or other objects,”

             f. “Act as part of the operating system,”

             g. “Log on as a service,” and

             h. “Increase scheduling priority.”

Issue: File System Access

Access to the file system can be controlled at the group or user level. Inappropriate settings for file system access can leave sensitive system information vulnerable to unauthorized disclosure or modification.

Condition:

Specifically, we found:

•   The \Everyone group has access to directories containing applications or sensitive files. The special group ‘Everyone’ includes domain users, null session connections, and users from other trusted domains. Granting access to ‘Everyone’ is very broad and could inadvertently allow an intruder to gain access to system resources.

•   Users without a legitimate business requirement have access to sensitive system utilities in the \winnt directory. If user accounts are granted access to potentially sensitive utilities, there is an increased risk that a user may gain information that could be used to compromise the security of the domain, or perform actions that affect the security and productivity of the domain.

•   The BOPNNM server has an excessive number of world-writeable files and directories.
World-writeable files allow any user on the system to modify or delete their contents. Improper permissions on home directories could allow a user to obtain the level of access of another ID on the server. If the compromised ID is business-critical, this vulnerability is high-risk and could be exploited to gain privileged access on the server.

•   Network File System (NFS) shares are not adequately secured. One directory is exported to the world with read and write permission. Exporting directories in this way exposes the NFS server to greater risk: a mis-configured export file can allow remote users on NFS clients to gain root access on the NFS server. (At a minimum, each entry in the export file should name the permitted client hosts and leave root squashing, the default on most NFS servers, in place, so that a client’s root is mapped to an unprivileged user on the server.)

Cause:

BOP security management did not develop documented procedures for exporting and sharing users’ directories.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without ITS II procedures in place, NFS directories exported to everyone can be mounted by any remote user without authentication. An attacker does not need to break into the server; mounting the file system via NFS is sufficient.

Recommendation:

    21. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for file system access. At a minimum, these standards and settings should:

            a.
Replace references to the special group ‘Everyone’ with ‘Domain Users’, ‘Authenticated Users’, or domain application groups.

            b. Remove access to sensitive system utilities from accounts that do not require it.

            c. Review and remove unnecessary permissions on files and directories.

            d. Restrict access to the NFS shares to the specific client hosts that need them.

Issue: Maintenance Controls

For purposes of the operating system server review, maintenance controls relate to standard user profiles and the use of password-protected screen savers and logon warning banners.

Condition:

  •   On BOPCOF, a password-protected screen saver is not being used.

  •   The Unix server does not display a system warning message when users log on to the server.

Cause:

BOP management is not following policy regarding password-protected screen savers and system warning banners.

Criteria:

FBOP 1237.11, 6.h.2 states: “All personal computers designated as sensitive systems or "STAFF ONLY" shall have software that will, after a specified period of keyboard inactivity, blank the display and require a password for further access. The maximum time of inactivity shall be 10 minutes. All Novell or Windows NT workstations shall use software requiring the network password. This shall be adequate for a staff member to leave a workstation unattended for a short period.
The Bureau standard, related requirements, and exceptions are stated in the previous subsection.”

DOJ Order 2640.2D Chapter 2 Section 20, states: “All Department IT systems shall implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties.”

Risk:

By not enabling the Windows NT screen saver with password protection, the risk is increased that the server will be exposed to unauthorized access when left unattended. BOP’s ability to prosecute intruders may be impaired if it cannot show that they knew the systems were to be used only for official purposes. It is also good practice to inform users in advance that they are subject to audit.

Recommendation:

  22. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for maintenance controls. At a minimum, these standards and settings should:

             a. Enable a password-protected screen saver on the server.

             b. Display a system warning message when users log on to the server.

Issue: NT Registry Settings

The registry is a database used by the Windows NT operating system to store configuration information.
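The value-level findings listed under Condition below, together with Recommendation 18(a), can be verified against a text export of each server's registry produced by regedit.exe rather than by hand. The checker that follows is an added example written for this page, not code from the OIG report or from BOP; the export text it contains, the user name in it, and the thresholds marked "assumed" in the baseline are constructed for illustration. Key permissions (the RunOnce, PerfLib, Winlogon and LSA access findings) do not appear in an export and must be reviewed separately with regedt32.

```python
"""Check a Windows NT registry export against the value settings called for in
Recommendation 18(a) and the findings under Recommendation 23.  Added example,
not code from the OIG report or from BOP; the export text below is constructed."""
import re
from typing import Callable, List, NamedTuple, Optional

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
MSV1_0 = LSA + r"\MSV1_0"
LANMAN_SERVER = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
MEMORY_MGMT = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
PRINT_SERVERS = r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
EVENTLOG_SYSTEM = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System"
EVENTLOG_APP = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application"

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _norm_key(key: str) -> str:
    """Registry paths are case-insensitive; accept the HKLM abbreviation too."""
    return re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.IGNORECASE).lower()


def parse_reg(text: str) -> dict:
    """Parse REGEDIT4 / 'Windows Registry Editor' text into {(key, name): raw}.
    Raw values keep the export syntax ('"..."' for REG_SZ, 'dword:XXXXXXXX', 'hex:...');
    trailing-backslash continuation lines of long hex values are joined first."""
    values, key, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = _norm_key(line[1:-1])
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            values[(key, name.lower())] = m.group(2).strip()
    return values


def sz(raw: Optional[str]) -> Optional[str]:
    """REG_SZ text without the surrounding quotes, else None."""
    if raw and len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


def dword(raw: Optional[str]) -> Optional[int]:
    """REG_DWORD as an int (exported as 'dword:' plus 8 hex digits), else None."""
    if raw and raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


class Check(NamedTuple):
    key: str
    name: str
    ok: Callable[[Optional[str]], bool]  # receives the raw value, or None if absent
    expected: str


# Baseline.  Where the report gives no number (LMCompatibilityLevel, NTLMMin*Sec) the
# threshold is an assumption of this example, not a BOP or DOJ standard.
BASELINE: List[Check] = [
    Check(WINLOGON, "CachedLogonsCount", lambda v: sz(v) == "0", '"0" (Rec. 18a)'),
    Check(WINLOGON, "DontDisplayLastUserName", lambda v: sz(v) == "1", '"1" (hide last user name)'),
    Check(WINLOGON, "AllocateCDRoms", lambda v: sz(v) == "1", '"1" (CD-ROM only for the interactive user)'),
    Check(WINLOGON, "AllocateFloppies", lambda v: sz(v) == "1", '"1"'),
    Check(LSA, "LMCompatibilityLevel", lambda v: (dword(v) or 0) >= 2, ">= 2 (assumed: NTLM only, no LM)"),
    Check(LSA, "RestrictAnonymous", lambda v: dword(v) == 1, "1 (no anonymous enumeration)"),
    Check(LSA, "SubmitControl", lambda v: v is None or dword(v) == 0, "0 or absent (only admins schedule jobs)"),
    Check(MSV1_0, "NTLMMinClientSec", lambda v: bool(dword(v)), "non-zero (assumed)"),
    Check(MSV1_0, "NTLMMinServerSec", lambda v: bool(dword(v)), "non-zero (assumed)"),
    Check(LANMAN_SERVER, "RequireSecuritySignature", lambda v: dword(v) == 1, "1 (SMB signing)"),
    Check(LANMAN_SERVER, "AutoDisconnect", lambda v: dword(v) is not None and dword(v) <= 15, "<= 15 minutes"),
    Check(MEMORY_MGMT, "ClearPageFileAtShutdown", lambda v: dword(v) == 1, "1"),
    Check(PRINT_SERVERS, "AddPrintDrivers", lambda v: dword(v) == 1, "1 (only admins add print drivers)"),
    Check(EVENTLOG_SYSTEM, "RestrictGuestAccess", lambda v: dword(v) == 1, "1"),
    Check(EVENTLOG_APP, "RestrictGuestAccess", lambda v: dword(v) == 1, "1"),
]


class Finding(NamedTuple):
    key: str
    name: str
    found: Optional[str]
    expected: str


def audit(export_text: str) -> List[Finding]:
    """Every baseline value that is absent or not at its required setting."""
    values = parse_reg(export_text)
    out = []
    for c in BASELINE:
        raw = values.get((_norm_key(c.key), c.name.lower()))
        if not c.ok(raw):
            out.append(Finding(c.key, c.name, raw, c.expected))
    return out


# Constructed export for the example; not taken from any BOP server.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="itsadmin"
"CachedLogonsCount"="10"
"DontDisplayLastUserName"="0"
"AllocateCDRoms"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoDisconnect"=dword:ffffffff
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000001
"""


def main() -> None:
    for f in audit(SAMPLE_EXPORT):
        print(f"FINDING {f.key}\\{f.name}: found {f.found!r}, expected {f.expected}")


if __name__ == "__main__":
    main()
```

Missing values are reported as findings on purpose (except SubmitControl, whose absence already restricts job submission to administrators), because an unset value means the server is running the Windows NT default rather than a deliberate setting. AutoDisconnect of 0xffffffff is how "never disconnect" is stored, which is why the check compares against 15 minutes rather than against zero.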
Most Windows applications write data to the registry, at least during installation.

Condition:

  •     Users other than administrators can install print drivers.

  •     The CD-ROM and floppy drives are accessible to users who are not logged on locally.

  •     Unauthenticated users can read the RunOnce registry key.

  •     Unauthenticated users can read the PerfLib, Winlogon, and LSA registry keys.

  •     Unauthenticated users have access to 17 registry keys that contain server configuration information.

  •     Unauthenticated users can query information from the server.

  •     A default user name (the last user to log on) is displayed at logon.

  •     There are no restrictions on who can define system attributes.

  •     Idle users are not disconnected after 15 minutes.

  •     The pagefile is not cleared at shutdown.

  •     Integrity checking is not being performed.

  •     The LMCompatibilityLevel registry value is not securely set, so LAN Manager (LM) challenge responses, which are far weaker than NTLM, are still sent on the network.

  •     The minimum security for programs that use the NTLM Security Support Provider (SSP) or secure Remote Procedure Call (RPC) is not specified.

  •     Server Message Block (SMB) signing is not being used.

  •     Users are allowed to schedule jobs on the server.

  •     Guests can view the system event and application logs.

Cause:

ITS II management did not develop a documented standard configuration policy for securing Windows NT registry settings.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized
disclosure, modification, or erasure.”

Risk:

By not having the registry keys set to their most secure settings, the system is vulnerable to misuse and overall system security is weakened.

Recommendations:

  23. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for NT registry settings. At a minimum, these standards and settings should include reconfiguring the registry settings listed above to a more secure configuration.

Issue: Security Patches

Security patches contain updates to the operating system that correct bugs or vulnerabilities in the software.

Condition:

The operating system software is not kept up to date with respect to security patches.

Cause:

ITS II management has not developed documented procedures for applying computer security patches.

Criteria:

NIST SP 800-13 Section 5.10, Telecommunications Security Guidelines for Telecommunications Management Network, states: “All new software features and patches shall be tested first on a development system and approved by an appropriate testing organization, prior to installation on an operational system. Tests that modify live data shall not be performed. A risk analysis shall be conducted of proposed software changes to determine their impact on network element (NE) security. Any changes to security features or security defaults shall be documented and made available to the user before the software is distributed.”

Risk:

If the version of the operating system and the security patches are not current, there is an increased risk that an unauthorized user may be able to exploit known weaknesses.

Recommendation:

  24.
We recommend that the BOP Director ensure that BOP management obtain the latest security patches from the operating system vendor. The patches should be tested, properly installed, and configured.

Issue: Router Configuration

Condition:

  •   Source routing can be used to bypass the router’s routing tables and potentially gain access to unauthorized portions of the network.

  •   Administrators can use the Internet Protocol (IP) alias command to assign multiple IP addresses to the router. For example, in addition to the primary address, addresses can be specified that correspond to lines or rotary groups. Using the IP alias command in this way makes the process of connecting to a specific rotary group transparent to the user. If the IP alias command is enabled on Cisco products, Transmission Control Protocol (TCP) connections to any destination port are considered valid connections.

  •   The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.
In the case of illegitimate requests, the software’s aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests. The router does not use TCP intercept (see Recommendation 25.c).

  •   Encryption is not being used on the router. Sensitive information may be the target of sniffing attacks by unauthorized users; if transactions containing highly confidential information cross the router unencrypted, they are vulnerable to sniffing. Hash algorithms help mitigate a loss of data integrity should the data be manipulated in transit.

Cause:

ITS II management has not properly configured the Cisco router.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Without properly configuring the Cisco router, attackers can potentially gain access to unauthorized portions of the network.

Recommendation:

   25. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for router configuration. At a minimum, these standards and settings should:

         a. Issue the “no ip source-route” command in global configuration mode (ip source-route is a global setting, on by default, and is not shown in the running configuration until disabled).

         b. Issue the “no ip alias” command in global configuration mode.

         c. Issue the command “ip tcp intercept list yyy” (where yyy is the number of the extended access list that selects the connections to be intercepted) in global configuration mode.

         d.
Enable encryption via the “crypto map” command (define the map in global configuration mode and apply it to the interface that carries the sensitive traffic).

Issue: Fail-over Capabilities

Fail-over is a hardware or software backup to which the system switches in the event of a failure.

Condition:

The Cisco router’s fail-over capabilities are not in place.

Cause:

BOP ITS II security management did not develop documented configuration standards for securing BOP’s Cisco routers. In addition, Cisco’s Hot Standby Router Protocol (HSRP) fail-over capability has not been implemented on the router.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: … Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Cisco Internetwork Operating System (IOS) software and hardware offer advanced fail-over capabilities in case of hardware or software failure; without them, the failure of a single router interrupts service. Mission-critical routers (typically core routers) are good candidates for the Cisco fail-over capabilities.

Recommendation:

   26. We recommend that the BOP Director ensure that BOP management implement Cisco’s fail-over capabilities by configuring HSRP on critical external routers.

Issue: Command Line Access

Information on the router configuration can be retrieved or entered via command-line access.

Condition:

   •    Different levels of privileged EXEC access have not been defined. It may not be necessary for all administrators or users to have full privileged access to the router.
Administrators who do not require this functionality can make unauthorized changes to the configuration.

   •    Anyone on the BOP network can reach a login prompt on the router. Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.

   •    Telnet is being used to access the router. Telnet sessions transmit information, including user names and passwords, in clear text. If an unauthorized user were to capture this information, it could place critical network devices at risk of compromise.

   •    AAA (Authentication, Authorization, and Accounting) has not been implemented. AAA provides more granular levels of accounting and access privileges, which are helpful in complex environments where resources are accessed by different users in multiple ways.

   •    Timeout values have not been assigned to all console terminals on the router. Session timeouts provide additional security against consoles that are left unattended. A user who gains access to an unattended console can modify the router’s configuration.

Cause:

BOP management did not develop documented configuration standards for securing BOP’s Cisco routers.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: “Access controls shall be in place and operational for all Department IT systems to: Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.”

Risk:

Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router, and clear-text Telnet exposes the credentials used to log on.

Recommendation:

  27.
We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for command line access. At a minimum, these standards and settings should include:

             a. Define privilege levels with the command “privilege mode level level command” in global configuration mode (for example, “privilege exec level 5 show running-config”), so that administrators who do not need full privileged access receive only the commands their duties require.

             b. Create an appropriate access list with the “access-list” command in global configuration mode. Once the access list has been created, apply it to the appropriate terminal lines (typically “line vty 0 4”) with the “access-class <access list number> in” command in line configuration mode.

             c. Enable SSH on the router and restrict the terminal lines to it with “transport input ssh”, so that Telnet is no longer accepted.

             d. Enable Authentication, Authorization, and Accounting (“aaa new-model”, with authentication and accounting methods defined for the lines).

             e. Establish a session timeout on the console and terminal lines with the “exec-timeout” command.

C. Audit Trails. Auditing provides the ability to detect and record security-related events. It tracks the activities of users by recording information about specific types of events, such as logon and logoff, file and object access, use of user rights, user and group management, security policy changes, restart, shutdown, and system events, in a security log on the server.

Issue: Activity Logs

Condition:

System activities are not adequately logged and reviewed on a regular basis on the BOP ITS II system.

Cause:

ITS II management did not develop procedures for collecting, reviewing, and archiving activity logs.

Criteria:

DOJ Order 2640.2D Chapter 2, Section 19, states: “Department IT systems shall:

  1. Maintain an audit trail of activity sufficient to reconstruct security relevant events.

  2.
Include in the audit trail the identity of each entity accessing the system, time and date of the access, time and date the entity terminated access, activities performed using an administrator’s identification, and activities that could modify, bypass, or negate the system’s security safeguards.

  3. Protect the audit trail from actions such as unauthorized access, modification, and destruction that would negate its forensic value.

  4. Retain the audit trail for a period of 90 days, the minimum record retention period specified by the component, or the period specified in the system security plan, whichever is longer.

         a. Audit trails shall be reviewed in compliance with the review period specified for the audit trail in the system’s security plan.

         b. IT systems operating in the Dedicated Mode of Operation or in a stand-alone environment that do not implement an audit trail must be justified and documented in the risk analysis and certification process.”

Risk:

Insufficient logging leaves no audit trail in the event of unauthorized access or use. Insufficient review of audit logs means administrators are not alerted to unauthorized activity as early as possible. Good logging and monitoring also often give administrators early warning of hardware and software errors or problems.

Recommendation:

   28. We recommend that the BOP Director ensure that BOP management develop procedures for logging and monitoring system activity and require that audit logs be reviewed periodically.

CONCLUSION

      Our review disclosed that security controls need improvement to fully protect the ITS II from unauthorized use, loss, or modification.
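The router findings above (Recommendations 18(b), 25 and 27) can be checked mechanically against a saved copy of the running configuration, captured with “show running-config” from the console. The checker that follows is an added example written for this page, not code from the OIG report or from BOP; both configurations it contains are constructed for illustration, as are the hostname, addresses and access-list numbers, and the hardened configuration places the settings the recommendations call for beside the weak one. Commands that IOS leaves at their default (such as ip source-route) are not shown in a running-config, so the check looks for the explicit “no” form.

```python
"""Audit a Cisco IOS running-config for the settings in Recommendations 18(b),
25 and 27.  Added example, not code from the OIG report or from BOP; both
configurations below are constructed (hostname, addresses, list numbers)."""
from typing import List, Tuple

Block = Tuple[str, List[str]]  # a non-indented header and the indented lines under it


def parse_ios(text: str) -> Tuple[List[str], List[Block]]:
    """Split a running-config into its global commands and its configuration blocks."""
    globals_: List[str] = []
    blocks: List[Block] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
            globals_.append(line.strip())
    return globals_, blocks


def _never_times_out(subs: List[str]) -> bool:
    """True when exec-timeout is absent or set to 0 ('exec-timeout 0 0' disables it)."""
    timeouts = [s.split()[1:] for s in subs if s.startswith("exec-timeout")]
    return not timeouts or any(sum(int(x) for x in t) == 0 for t in timeouts)


def audit_ios(text: str) -> List[Tuple[str, str]]:
    """Return (recommendation, detail) pairs for each control that is not in place."""
    globals_, blocks = parse_ios(text)
    g = set(globals_)
    f: List[Tuple[str, str]] = []
    if "no ip source-route" not in g:  # IOS forwards source-routed packets by default
        f.append(("25a", "source routing enabled; add 'no ip source-route'"))
    f += [("25b", f"'{l}' accepts TCP to any port; remove it") for l in globals_ if l.startswith("ip alias ")]
    if not any(l.startswith("ip tcp intercept list") for l in globals_):
        f.append(("25c", "TCP intercept not configured"))
    if not any(s.startswith("crypto map ") for h, subs in blocks if h.startswith("interface ") for s in subs):
        f.append(("25d", "no crypto map applied to any interface"))
    if not any(l.startswith("privilege ") for l in globals_):
        f.append(("27a", "no privilege levels defined; all privileged EXEC access is level 15"))
    if "aaa new-model" not in g:
        f.append(("27d", "AAA not enabled ('aaa new-model')"))
    for header, subs in blocks:
        if header.startswith("router ") and not any(s.startswith("passive-interface") for s in subs):
            f.append(("18b", f"'{header}' sends routing updates on every interface"))
        if header.startswith("line "):
            if _never_times_out(subs):
                f.append(("27e", f"'{header}' never times out; add 'exec-timeout'"))
            if header.startswith("line vty"):
                if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
                    f.append(("27b", f"'{header}' reachable from any address; add 'access-class <acl> in'"))
                transports = [s.split()[2:] for s in subs if s.startswith("transport input")]
                if not transports or any(t not in (["ssh"], ["none"]) for t in transports):
                    f.append(("27c", f"'{header}' not limited to SSH; set 'transport input ssh'"))
    return f


# Constructed configurations for the example; neither is a BOP device configuration.
WEAK_CONFIG = """\
hostname its-router
ip alias 10.10.0.9 3001
interface Ethernet0
 ip address 10.10.0.1 255.255.255.0
interface Serial0
 ip address 192.0.2.1 255.255.255.252
router rip
 network 10.0.0.0
line con 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname its-router
no ip source-route
aaa new-model
aaa authentication login default local
ip tcp intercept list 120
privilege exec level 5 show running-config
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 120 permit tcp any 10.10.0.0 0.0.0.255
access-list 130 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
crypto map ITSMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ITS-TS
 match address 130
interface Ethernet0
 ip address 10.10.0.1 255.255.255.0
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map ITSMAP
router rip
 network 10.0.0.0
 passive-interface Serial0
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
"""


def main() -> None:
    for rec, detail in audit_ios(WEAK_CONFIG):
        print(f"Rec. {rec}: {detail}")
    print("hardened config findings:", audit_ios(HARDENED_CONFIG))


if __name__ == "__main__":
    main()
```

The check for 25(d) only confirms that a crypto map is applied to some interface; whether the interface chosen is the one carrying the sensitive traffic, and whether the transform set is acceptable, still needs a reviewer. "transport input none" is accepted alongside "ssh" because it closes the line to remote access entirely.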
Specifically,\nwe found security vulnerabilities in the areas of life cycle, authorize\nprocessing, system security plan, personnel security, physical and\nenvironmental protection, production, input/output controls, contingency\nplanning, hardware and systems software maintenance, data integrity,\nincident response capability, identification and authentication, logical access\ncontrols, and audit trails.\n\n       We concluded that these vulnerabilities occurred because BOP\nmanagement did not fully develop, document, or enforce agency-wide\npolicies in accordance with current Department policies and procedures.\nAdditionally, the Department did not enforce its security policies and\nprocedures to ensure the ITS II was protected from unauthorized use, loss,\nor modification through its certification and accreditation process.\n\n\n\n\n                                     -42-\n\x0c                                                                   APPENDIX I\n\n      NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n                  GENERAL CONTROL AREAS\n\n     The review focused on evaluating the adequacy of management,\noperational and technical controls over the following specific control areas:\n\nI. MANAGEMENT CONTROLS. Management controls focus on the\nmanagement of the IT security system and the management of risk for a\nsystem. They are techniques and concerns that are normally addressed by\nmanagement.\n\n      \xe2\x80\xa2 Risk Management. Risk is the possibility of something adverse\n         happening. Risk management is the process of assessing risk,\n         taking steps to reduce risk to an acceptable level, and maintaining\n         that level of risk. 
Assessing risk management involves evaluating\n         the BOP\xe2\x80\x99s efforts to complete the following critical procedures:\n\n         o Periodic performance of a system risk assessment had been\n           performed.\n         o Program officials understand the risk to systems under their\n           control and had determined the acceptable level of risk.\n\n      \xe2\x80\xa2 Review of Security Controls. Routine evaluations and response to\n         identified vulnerabilities are important elements of managing\n         security controls of a system. Determining whether review of\n         security controls had been adequately performed requires the\n         auditor to assess if the following critical items were completed:\n\n         o A system security control review had been performed for both\n           ITS II and interconnected systems.\n         o Management ensured effective implementation of corrective\n           actions.\n\n      \xe2\x80\xa2 Life Cycle. Like other aspects of an IT system, security is best\n         managed if planned for throughout the IT system life cycle. There\n         are many models for the IT system life cycle but most contain five\n         basic phases: initiation, development/acquisition, implementation,\n         operation, and disposal. Assessing a system\xe2\x80\x99s life cycle involves\n         identifying if the following critical items are in place for the ITS II:\n\n         o A system development life cycle methodology.\n         o System change controls as programs progress through testing to\n           final approval.\n\n\n\n                                      -43-\n\x0c     \xe2\x80\xa2 Authorize Processing (Certification and Accreditation).\n       Authorize processing (also referred to as certification and\n      accreditation) provides a form of assurance of the security of the\n      system. 
To determine whether the ITS II had been appropriately\n      authorized to process data involves analyzing critical documents that\n      identify whether:\n\n        o The system had been certified/recertified and authorized to\n          process (accredited).\n        o The system is operating on an interim authority in accordance\n          with specified agency procedures.\n\n     \xe2\x80\xa2 System Security Plan. A system security plan provides an\n        overview of the security requirements of the system and describes\n        the controls in place or planned for meeting those requirements.\n        The plan delineates responsibilities and expected behavior of all\n        individuals who access the system. Assessing whether the ITS II\n        has an adequate system security plan requires identifying if the\n        following critical elements were met:\n\n        o A system security plan had been documented for the system and\n          all interconnected systems if the boundary controls are\n          ineffective.\n        o The plan is kept current.\n\nII. OPERATIONAL CONTROLS. Operational controls address security\ncontrols that are implemented and executed by people. These controls are\nput in place to improve the security of a particular system. They often\nrequire technical or specialized expertise and rely upon management\nactivities as well as technical controls.\n\n     \xe2\x80\xa2 Personnel Security. Many important issues in computer security\n        involve human users, designers, implementers, and managers. A\n        broad range of security issues relates to how these individuals\n        interact with computers and the access and authorities they need to\n        do their jobs. 
Assessing personnel security involves evaluating the\n        BOP efforts to complete the following critical procedures:\n\n        o Duties are separated to ensure least privilege and individual\n          accountability.\n        o Appropriate background screening is completed.\n\n\n\n\n                                   -44-\n\x0c\xe2\x80\xa2 Physical and Environmental Protection. Physical security and\n   environmental security are the measures taken to protect systems,\n   buildings, and related supporting infrastructures against threats\n   associated with their physical environment. Assessing physical and\n   environmental protection involves evaluating the BOP efforts to\n   complete the following critical procedures:\n\n  o Adequate physical security controls have been implemented and\n    are commensurate with the risks of physical damage or access.\n  o Data is protected from interception.\n  o Mobile and portable systems are protected.\n\n\xe2\x80\xa2 Production, Input/Output Controls. There are many aspects to\n   supporting IT operations. Topics range from a user help desk to\n   procedures for storing, handling, and destroying media. Assessing\n   production, input/output controls involves evaluating the BOP\n   efforts to complete the following critical procedures:\n\n  o User support is being provided to ITS II users.\n  o Media controls are in place for the ITS II.\n\n\xe2\x80\xa2 Contingency Planning. Contingency planning ensures continued\n   operations by minimizing the risk of events that could disrupt\n   normal operations and having an approach in place to respond to\n   those events should they occur. 
Assessing contingency planning\n   involves evaluating the BOP\xe2\x80\x99s efforts to complete the following\n   critical procedures:\n\n  o Identify the most critical and sensitive operations and their\n    supporting computer resources.\n  o Develop and document a comprehensive contingency plan.\n  o Have tested contingency/disaster recovery plans in place.\n\n\xe2\x80\xa2 Hardware and System Software Maintenance. These are\n   controls used to monitor the installation of, and updates to,\n   hardware and software to ensure that the system functions as\n   expected and that a historical record is maintained of changes.\n   Some of these controls are also covered in the Life Cycle Section.\n   Assessing hardware and system software maintenance involves\n   evaluating the BOP efforts to complete the following critical\n   procedures:\n\n  o Access is limited to system software and hardware.\n  o All new and revised hardware and software are authorized,\n    tested and approved before implementation.\n\n\n\n                              -45-\n\x0c    o Systems are managed to reduce vulnerabilities.\n\n\xe2\x80\xa2 Data Integrity. Data integrity controls are used to protect data\n   from accidental or malicious alteration or destruction and to provide\n   assurance to the user that the information meets expectations\n   about its quality and integrity. Assessing data integrity involves\n   evaluating the BOP efforts to complete the following critical\n   procedures:\n\n    o Virus detection and elimination software is installed and\n      activated.\n    o Data integrity and validation controls are used to provide\n      assurance that the information has not been altered and the\n      system functions as intended.\n\n\xe2\x80\xa2 Documentation. 
The documentation contains descriptions of the\n   hardware, software, policies, standards, procedures, and approvals\n   related to the system and formalize the system\xe2\x80\x99s security controls.\n   Assessing documentation involves evaluating the BOP\xe2\x80\x99s efforts to\n   complete the following critical procedures:\n\n    o There is sufficient documentation that explains how\n      software/hardware is to be used.\n    o There are documented formal security and operational\n      procedures.\n\n\xe2\x80\xa2 Security Awareness, Training, and Education. People are a\n   crucial factor in ensuring the security of computer systems and\n   valuable information resources. Security awareness, training, and\n   education enhance security by improving awareness of the need to\n   protect system resources. Additionally, training develops skills and\n   knowledge so computer users can perform their jobs more securely\n   and build in-depth knowledge. Assessing security awareness,\n   training, and education involves evaluating the BOP efforts to\n   complete the following critical procedures:\n\n    o Employees have received adequate training to fulfill their\n      security responsibilities.\n\n\xe2\x80\xa2   Incident Response Capability. Computer security incidents are\n    an adverse event in a computer system or network. Such incidents\n    are becoming more common and their impact is far-reaching. The\n    following questions are organized according to two critical elements.\n    Assessing incident response capability involves evaluating the BOP\n    efforts to complete the following critical procedures:\n\n\n\n                               -46-\n\x0c         o There is a capability to provide help to users when a security\n           incident occurs in the system.\n         o Incident related information is shared with appropriate\n           organizations.\n\nIII. TECHNICAL CONTROLS. 
Technical controls focus on security controls\nthat the computer system executes and depend upon the proper functioning\nof the system to be effective. Technical controls require significant\noperational considerations and should be consistent with the management of\nsecurity within the organization.\n\n     \xe2\x80\xa2   Identification and Authentication. Identification and\n         authentication is a technical measure that prevents unauthorized\n         people or processes from entering an IT system. Access control\n         usually requires that the system be able to identify and differentiate\n         among users. Authentication is verification that a person\xe2\x80\x99s claimed\n         identity is valid and it is usually implemented through the use of\n         passwords. Assessing identification and authentication involves\n         evaluating the BOP\xe2\x80\x99s efforts to complete the following critical\n         procedures:\n\n         o Users are individually authenticated via passwords and other\n           devices.\n         o Access controls are enforcing segregation of duties.\n\n     \xe2\x80\xa2   Logical Access Controls. Logical access controls are the system-\n         based mechanisms used to designate who or what is to have access\n         to a specific system resource and the type of transactions and\n         functions that are permitted. Assessing logical access controls\n         involves evaluating the BOP\xe2\x80\x99s efforts to complete the following\n         critical procedures:\n\n         o Logical access controls restrict users to authorized transactions\n           and functions.\n         o There are logical controls over network access.\n         o There are controls implemented to protect the integrity of the\n           application and the confidence of the public when the public\n           accesses the system.\n\n     \xe2\x80\xa2   Audit Trails. 
Audit trails maintain a record of system activity by\n         system or application processes and by user activity. In\n         conjunction with appropriate tools and procedures, audit trails can\n         provide individual accountability, a means to reconstruct events,\n         detect intrusions, and identify problems. Assessing audit trails\n\n\n\n                                     -47-\n\x0cinvolves evaluating the BOP\xe2\x80\x99s efforts to complete the following\ncritical procedures:\n\no Activity involving access to and modification of sensitive or\n  critical files is logged and monitored and possible security\n  violations are investigated.\n\n\n\n\n                            -48-\n\x0c       APPENDIX II\n\n\n\n\n-49-\n\x0c-50-\n\x0c-51-\n\x0c-52-\n\x0c-53-\n\x0c-54-\n\x0c-55-\n\x0c-56-\n\x0c-57-\n\x0c-58-\n\x0c-59-\n\x0c                                                            APPENDIX III\n\n          OIG, AUDIT DIVISION ANALYSIS AND SUMMARY\n            OF ACTIONS NECESSARY TO CLOSE REPORT\n\nRecommendation Number:\n\n  1. Resolved. In order to close this recommendation, the Bureau of Prisons\n     (BOP) needs to incorporate security requirements into the development\n     and acquisition phases of the SDLC.\n\n  2. Resolved. In order to close this recommendation, the BOP needs to\n     incorporate procedures to document certification testing activities,\n     update system documentation when security controls are added, retest\n     security controls, and recertify the system after changes have been\n     made.\n\n  3. Resolved. In order to close this recommendation, the BOP needs to\n     update operating controls as outlined in the June 2002 Security Test and\n     Evaluation (ST&E) report, and complete the \xe2\x80\x9cConditions of Certification\xe2\x80\x9d\n     outlined in the Inmate Telephone System II (ITS II) certification\n     statement.\n\n  4. Resolved. 
In order to close this recommendation, the BOP needs to\n     require all users, including vendor and contractor personnel, to read\n     and sign the Rules of Behavior document (BOP Directive 1237-12) to\n     ensure users are aware of its contents.\n\n  5. Resolved. In order to close this recommendation, the BOP needs to\n     incorporate guidelines for developing security plans outlined in the\n     National Institute of Standard Technology (NIST) Special Publication\n     (SP) 800-18 into the current ITS II security plan and incorporate the\n     plan into the overall IRM strategic plan for the BOP.\n\n  6. Resolved. In order to close this recommendation, the BOP needs to\n     conduct an analysis on the current staff shortages by determining the\n     current security and system administrator skills on the current BOP\n     team and ensure that those individuals are moved to positions that do\n     not conflict.\n\n  7. Resolved. In order to close this recommendation, the BOP needs to\n     enforce procedures in accordance with the BOP Directive 1237.11 and\n     Department policy for the distribution of the BOP\xe2\x80\x99s documented\n     procedures on how to maintain ITS II user accounts to ITS II security\n     staff and contractor personnel.\n\n\n\n                                   -60-\n\x0c 8. Resolved. In order to close this recommendation, the BOP needs to\n    implement all of the recommendations outlined in the June 2002 ST&E\n    report, specifically those outlined in section 4.12.\n\n 9. Resolved. In order to close this recommendation, the BOP needs to\n    document a process to control the transfer of media and BOP data.\n\n10. Resolved. In order to close this recommendation, the BOP needs to\n    ensure the contingency plan is distributed to appropriate individuals,\n    including contractor staff.\n\n11. Resolved. 
In order to close this recommendation, the BOP needs to\n    develop a configuration standard for all systems that incorporates the\n    most restrictive security settings possible.\n\n12. Resolved. In order to close this recommendation, the BOP needs to\n    develop policies and procedures surrounding the use of intrusion\n    detection software and integrity validation software.\n\n13. Resolved. In order to close this recommendation, the BOP needs to\n    develop a policy for incident handling, response, and personnel\n    support.\n\n14. Resolved. In order to close this recommendation, the BOP needs to\n    enforce Department password policies and procedures and install and\n    activate a password filter on all servers to enforce parameters that\n    enforce restrictions on passwords.\n\n15. Resolved. In order to close this recommendation, the BOP needs to\n    develop and monitor documented procedures establishing specific\n    security standards and settings for access controls.\n\n16. Resolved. In order to close this recommendation, the BOP needs to\n    develop and monitor documented procedures establishing specific\n    security standards and settings for user authentication and access.\n\n17. Resolved. In order to close this recommendation, the BOP needs to\n    implement the system key utility and restrict services so that they are\n    running in a secured context.\n\n18. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for network controls.\n\n\n\n\n                                   -61-\n\x0c19. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for user and group\n    management controls.\n\n20. Resolved. 
In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for account integrity\n    management.\n\n21. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for file system access.\n\n22. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for maintenance controls.\n\n23. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for Windows NT registry\n    settings.\n\n24. Resolved. In order to close this recommendation, the BOP needs to\n    obtain the latest security patches from the operating system vendor.\n\n25. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for router configuration.\n\n26. Unresolved. In order to resolve this recommendation, the BOP needs\n    to comply with the recommendation to implement Cisco\xe2\x80\x99s fail-over\n    capabilities by configuring hot standby router protocol (HSRP) on\n    critical external routers. In addition, the BOP needs to provide the\n    OIG with documentation reflecting the current fail-over capabilities for\n    Cisco routers residing on the ITS II network.\n\n27. Resolved. In order to close this recommendation, the BOP needs to\n    develop, implement, and monitor documented procedures establishing\n    specific security standards and settings for command line access.\n\n28. Resolved. 
In order to close this recommendation, the BOP needs to\n    develop procedures for logging and monitoring system activity and\n    require that audit logs be reviewed.\n\n\n\n\n                                   -62-\n\x0c'
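As an added illustration of the five command line access standards recommended above (recommendation 27), and not code from the OIG report or from the BOP: a Python check that reads a Cisco IOS running-config and reports which of the five settings are absent. Both configurations are constructed; the check looks for `access-class <n> in` on the vty lines, which is the line-mode form of the access-list application that step b describes, and it treats `exec-timeout 0 0` as no timeout, since that value disables it.

```python
"""Check a Cisco IOS running-config against the five minimum command line access
standards recommended for the ITS II routers (privilege levels, an access list on
the vty terminal, SSH, AAA, session timeout).  Added illustration, not OIG or BOP
code; both configurations below are constructed."""
import re

# Constructed: a router with none of the five standards applied.
WEAK_CONFIG = """\
hostname its2-rtr
enable password cisco
line vty 0 4
 login
 transport input telnet
"""

# Constructed: the same router with each standard applied.
HARDENED_CONFIG = """\
hostname its2-rtr
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
privilege exec level 15 configure terminal
ip ssh version 2
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
"""


def vty_lines(config):
    """Return the indented commands under the 'line vty ...' terminal block."""
    block, in_vty = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            block.append(line.strip())
        else:
            in_vty = False
    return block


def check_cli_access(config):
    """Map each of the five standards (a-e in the recommendation) to True/False."""
    vty = vty_lines(config)
    defined_acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    # Step b: the list must exist and be applied to the vty lines.  On a line IOS
    # applies it with 'access-class <n> in', the line-mode form of that step.
    applied_acls = [m.group(1) for m in
                    (re.match(r"access-class (\S+) in$", l) for l in vty) if m]
    transports = [l for l in vty if l.startswith("transport input")]
    # Step e: 'exec-timeout 0 0' disables the timeout, so it does not count.
    timeouts = [l for l in vty if re.match(r"exec-timeout \d+ \d+$", l)]
    return {
        "a_privilege_levels": bool(re.search(r"^privilege \S+ level \d+ ", config, re.M)),
        "b_vty_access_list": any(a in defined_acls for a in applied_acls),
        "c_ssh_only": bool(transports) and all(t == "transport input ssh" for t in transports),
        "d_aaa": bool(re.search(r"^aaa new-model$", config, re.M))
                 and bool(re.search(r"^aaa accounting ", config, re.M)),
        "e_session_timeout": any(t != "exec-timeout 0 0" for t in timeouts),
    }


def missing_standards(config):
    """Sorted names of the standards the config does not meet."""
    return sorted(name for name, ok in check_cli_access(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, missing_standards(cfg) or "meets all five standards")
```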
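As an added illustration of the audit trail criteria quoted above (DOJ Order 2640.2D Chapter 2, Section 19) and of the periodic review called for in recommendation 28, and not code from the OIG report or from the BOP: a Python script that reconstructs logon-to-logoff sessions from server audit records, lists what a reviewer must be able to see (activity under an administrator's identification, changes that could negate safeguards, access that was never terminated), and computes the retention period the order requires. The record format, identities, and events are all constructed.

```python
"""Reconstruct security-relevant sessions from ITS II-style server audit records
and flag the items a periodic reviewer must be alerted to under DOJ Order
2640.2D Chapter 2, Section 19.  Added illustration, not OIG or BOP code; the
record format and every value below are constructed."""
from datetime import datetime

# Constructed records: "<timestamp>|<identity>|<event>|<detail>"
LOG = """\
2002-06-03 08:02:11|jsmith|LOGON|workstation=ITS2-WS04
2002-06-03 08:05:40|jsmith|FILE_READ|calls/20020603.dat
2002-06-03 08:31:02|jsmith|LOGOFF|
2002-06-03 09:10:55|Administrator|LOGON|workstation=ITS2-SRV01
2002-06-03 09:12:30|Administrator|POLICY_CHANGE|logon/logoff auditing disabled
2002-06-03 09:13:01|Administrator|USER_ADDED|account=tmpvendor
2002-06-03 09:20:44|Administrator|LOGOFF|
2002-06-04 14:00:00|tmpvendor|LOGON|workstation=ITS2-WS09
"""

ADMIN_IDS = {"Administrator"}
# Event types that could modify, bypass, or negate security safeguards (item 2).
SAFEGUARD_EVENTS = {"POLICY_CHANGE", "USER_ADDED", "RIGHTS_ASSIGNED", "AUDIT_CLEARED"}


def parse(log):
    recs = []
    for line in log.splitlines():
        ts, ident, event, detail = line.split("|", 3)
        recs.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ident, event, detail))
    return recs


def reconstruct_sessions(recs):
    """Pair each LOGON with the next LOGOFF of the same identity and collect the
    activity in between: who accessed, when access began and ended, and what was
    done (item 2).  A session with end=None was never terminated in the trail."""
    sessions, open_sessions = [], {}
    for ts, ident, event, detail in recs:
        if event == "LOGON":
            open_sessions[ident] = {"identity": ident, "start": ts, "end": None,
                                    "activities": [], "admin": ident in ADMIN_IDS}
        elif ident not in open_sessions:
            continue  # activity with no recorded logon: a gap in the trail
        elif event == "LOGOFF":
            session = open_sessions.pop(ident)
            session["end"] = ts
            sessions.append(session)
        else:
            open_sessions[ident]["activities"].append((event, detail))
    sessions.extend(open_sessions.values())
    return sessions


def review_findings(sessions):
    """Lines a periodic reviewer should be alerted to (recommendation 28)."""
    findings = []
    for s in sessions:
        for event, detail in s["activities"]:
            if s["admin"] or event in SAFEGUARD_EVENTS:
                findings.append(f"{s['identity']} {event} {detail}")
        if s["end"] is None:
            findings.append(f"{s['identity']} session from {s['start']} not terminated")
    return findings


def required_retention_days(component_min_days, ssp_days):
    """Item 4: 90 days, the component minimum, or the SSP period, whichever is longer."""
    return max(90, component_min_days, ssp_days)


if __name__ == "__main__":
    for line in review_findings(reconstruct_sessions(parse(LOG))):
        print(line)
    print("retain at least", required_retention_days(60, 120), "days")
```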